Hello, welcome to the Wednesday, April 5th, 2017 edition of the Sansanet Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

On Monday, Apple took the unusual step to release a single update patch for iOS, iOS 10.3.1, that fixed vulnerability may lead

to a remote code execution on the Wi-Fi chip. Well, today Google, who found the vulnerability,

followed up with an interesting article about how to exploit prodcom's

Wi-Fi stack. Now this particular article doesn't refer to iOS or any Apple products,

but of course Broadcom's products are used across very different devices that utilize Wi-Fi. Google goes into quite a bit of

detail how to exploit these systems on a chip that implement Wi-Fi on modern mobile devices

and what the different vulnerabilities are that you may run into.

One of the root causes of many of the vulnerabilities being discovered here is that Wi-Fi

encodes data in type length value.

So you typically have one byte for the type, one byte for the length of the field,

and then value. While this sounds pretty simple and straightforward, this has caused

issues in particular if developers, for example, make certain assumptions as to maximum lengths that may be transmitted.

The probably most famous and most discussed issue here with Wi-Fi is the SSID, which is limited

in length according to the 80.11 standard, but of course you may encode much larger values than are proposed in the standard.

And to make things verse, also a lot of the protections aren't really implemented on those systems.

For example, there's typically no memory protection unit.

There are no stack canaries or similar tricks that would prevent simple stack-based buffer

overflows, which have been almost, I would say, eliminated at least the simple case in most

modern operating systems, but they still work on these systems on a chip.

So great article if you're into exploiting hardware.

And of course, also great if you happen to write code for systems like that.

...